diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b78ceace..55169b77 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,6 +23,8 @@ jobs: with: fetch-depth: 0 - run: git fetch --force --tags + - uses: anchore/sbom-action/download-syft@v0.7.0 # installs syft + - uses: sigstore/cosign-installer@v2.1.0 # installs cosign - name: Install RPM tooling run: sudo apt-get install -y rpm - name: Set up QEMU @@ -92,4 +94,4 @@ jobs: -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/unpoller/helm-chart/actions/workflows/OnUnpollerRelease/dispatches \ - -d '{"ref":"main","inputs":{"unpoller_version":"${{github.ref_name}}" }}' \ No newline at end of file + -d '{"ref":"main","inputs":{"unpoller_version":"${{github.ref_name}}" }}' diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 709db06e..adbccb97 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -77,14 +77,14 @@ builds: archives: - id: unpoller - builds: + ids: - unpoller files: - LICENSE - README.md - examples/up.*.example - id: unpoller-linux-arm - builds: + ids: - unpoller-linux-arm files: - LICENSE @@ -92,7 +92,7 @@ archives: - unpoller_manual.html - examples/up.*.example - id: unpoller-mac - builds: + ids: - unpoller-mac files: - LICENSE @@ -102,8 +102,9 @@ archives: - id: unpoller-windows format_overrides: - goos: windows - format: zip - builds: + formats: + - zip + ids: - unpoller-windows files: - LICENSE @@ -113,9 +114,10 @@ archives: - examples/up.*.example - init/windows/application.ico - id: unpoller-freebsd-pkg - builds: + ids: - unpoller-freebsd - format: tar.xz + formats: + - tar.xz wrap_in_directory: false files: # config files 
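Review bot: The two new steps in the release.yml hunk are pinned to mutable tags (`anchore/sbom-action/download-syft@v0.7.0`, `sigstore/cosign-installer@v2.1.0`) rather than a full commit SHA, so a moved or compromised tag would silently swap the tool that produces this release's SBOMs and signatures; pin the commit and keep the tag as a comment, e.g. `- uses: sigstore/cosign-installer@<full-commit-sha> # v2.1.0`. Keyless cosign, which the new `docker_signs` and `signs` stanzas in .goreleaser.yaml select with `COSIGN_EXPERIMENTAL=1`, also needs the job to expose an OIDC token via `permissions: id-token: write`; the job's `permissions` block is outside this hunk, so confirm it is present. The step list continues on both sides of the hunk.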
@@ -309,9 +311,22 @@ docker_manifests: - "golift/unifi-poller:v{{ .Major }}-arm64v8" - "golift/unifi-poller:v{{ .Major }}-armv7" + +# signs our docker image +# https://goreleaser.com/customization/docker_sign +docker_signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + artifacts: images + output: true + args: + - 'sign' + - '${artifact}' + nfpms: - id: unpoller-packages - builds: + ids: - unpoller - unpoller-linux-arm file_name_template: '{{ .ProjectName }}_{{ if eq .Os "darwin" }}macOS{{ else if eq .Os "linux" }}Tux{{ else }}{{ .Os }}{{ end }}_{{ if eq .Arch "386" }}32-bit{{ else if eq .Arch "amd64" }}64-bit{{ else }}{{ .Arch }}{{ end }}{{ if .Arm }}v{{ .Arm }}{{ end }}' @@ -507,6 +522,21 @@ signs: - unpoller-linux-arm - unpoller-windows - unpoller-mac + # signs the checksum file + # all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to + # https://goreleaser.com/customization/sign + - id: cosign + cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: '${artifact}.pem' + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: checksum + output: true universal_binaries: - replace: true @@ -552,6 +582,15 @@ brews: post_install: | etc.install "examples/up.conf" => "unpoller/up.conf" +# creates SBOMs of all archives and the source tarball using syft +# https://goreleaser.com/customization/sbom +# Two different sbom configurations need two different IDs +sboms: + - id: archive + artifacts: archive + - id: source + artifacts: source + publishers: - name: "packagecloud-publisher" ids:
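Review bot: `artifacts: images` in the new `docker_signs` stanza signs only the per-architecture images, while the `docker_manifests` entries directly above it (`golift/unifi-poller:v{{ .Major }}-arm64v8` and friends) publish the multi-arch manifest tags that consumers actually pull, so a `cosign verify` against those tags would presumably find no signature; use `artifacts: all` so the manifests are signed as well. `COSIGN_EXPERIMENTAL=1` is the cosign 1.x switch for keyless mode; if the installer ever resolves to cosign 2.x the variable is a no-op and non-interactive signing needs `--yes` in `args`, so add a comment such as `# keyless mode via COSIGN_EXPERIMENTAL assumes cosign 1.x; cosign 2.x needs --yes instead` — the same caveat applies to the cosign entry in the `signs` hunk below.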
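Review bot: The new `- id: cosign` entry under `signs` produces a keyless signature, which a verifier can only check with the signing workflow's identity and OIDC issuer plus the `.pem` written by `--output-certificate`, and neither the config nor the release text records these. Add a comment above `- id: cosign` stating how to verify, e.g. `# Verify with: cosign verify-blob --certificate <checksum-file>.pem --signature <checksum-file>.sig --certificate-identity-regexp <release-workflow-url> --certificate-oidc-issuer https://token.actions.githubusercontent.com <checksum-file>` (flag names as in current cosign releases), and mirror it in the release notes. The comment's claim that the SBOMs are included in the checksum file depends on goreleaser's default checksum scope, which is outside this hunk; confirm it so the "no need to sign each one" reasoning holds.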
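Review bot: The `- id: source` SBOM entry in the new `sboms` stanza only yields an artifact when source archives are enabled (`source: enabled: true`) elsewhere in this config, and that stanza is not visible in the hunk; if it is absent the entry is inert (presumably a warning rather than a failure, confirm), leaving the source tarball without an SBOM despite the comment saying one is created. The archive SBOMs are not signed on their own, and the only statement of how they are covered lives in the `signs` hunk, so record the relationship here too: `# SBOMs are not signed directly; they are listed in the checksum file, whose cosign signature covers them`.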